Technical Staff

Single Sign On

To open up new technologies and to improve the user experience, we are moving to a Single Sign On (SSO) authentication system. The benefits of this move include one account for everything, better security, the ability to use newer packages that cannot talk to kaserver, and better integration of our services with user accounts.

With this comes a new workflow, described in the sections below.

Configuration

Windows 7 and above

Download and install the OpenAFS Client. If you only belong to the cs.pitt.edu AFS cell, put cs.pitt.edu in as your default cell. Do not reboot if prompted to.

If you downloaded krb5-win7.conf, rename it to krb5.conf. Copy the krb5.conf file to C:\ProgramData\Kerberos\krb5.conf replacing the default krb5.conf file. If you cannot see C:\ProgramData, enable "Show Hidden Files" in Windows Explorer. For information on how to enable "Show Hidden Files", please refer to Microsoft Support.

Reboot your machine.

Mac 10.6 and above

Download and install Auristor. If you only belong to the cs.pitt.edu AFS cell, put cs.pitt.edu in as your default cell.

If this is your only Kerberos 5 realm, move and rename the krb5.conf file to /Library/Preferences/edu.mit.Kerberos. Otherwise, add the DEPT.CS.PITT.EDU realm definition and domain_realm definitions in the downloaded krb5.conf file to your /Library/Preferences/edu.mit.Kerberos file.

Linux

Please refer to your distribution's documentation for installing Kerberos 5 and OpenAFS. You need OpenAFS 1.6.5 or above. If you only belong to the cs.pitt.edu AFS cell, set your default cell to cs.pitt.edu.

If this is your only Kerberos 5 realm, drop the krb5.conf file into /etc. Otherwise, add the DEPT.CS.PITT.EDU realm definition and domain_realm definitions in the downloaded krb5.conf file to your /etc/krb5.conf file. Please check your distribution's documentation to ensure that there is no special way to add a realm.

Usage

You do things a little differently in this new environment. Below are some common use cases. Note that all of these are run either in the Windows Command Prompt or in a Mac/Linux terminal application.

Get AFS tokens

We used to use klog to get our AFS tokens. In this new environment, we not only need to get our AFS tokens, we also need to get a Kerberos 5 ticket.

Your Kerberos 5 ticket is what is used to get your AFS tokens. To get your Kerberos 5 ticket, run kinit <username> if you only have one realm or have set DEPT.CS.PITT.EDU as your default realm; otherwise run kinit <username>@DEPT.CS.PITT.EDU.

Now, to get your AFS tokens, simply run aklog. You will not be asked for a password here because your Kerberos 5 ticket proves that you are who you claim to be.

Check your tickets and tokens

To check your Kerberos 5 tickets (you will have two after running aklog), run klist. Here you will see information about your tickets. What you need to pay attention to are the "Expires" and "renew until" timestamps, which I will talk about below.

To check your AFS tokens, just run tokens, as in our old environment.

Renewing your tickets and tokens

One of the benefits we gain by going with this new system is the ability to renew your tokens without a password. This is where those timestamps I mentioned above come in. The "Expires" timestamp is when your Kerberos 5 ticket will expire. If you allow your ticket to expire, you will need to get a new ticket as described above. However, if you renew your ticket before it expires, you will get a new ticket with a new expiration date. To renew your ticket, run kinit -R. You can subsequently renew your AFS tokens by running aklog.

The "renew until" timestamp is when your ability to renew without a password runs out. After this time, you will have no choice but to get a new ticket as described above.

Destroying your tickets and tokens

At any point, you can destroy your AFS tokens with unlog and your Kerberos 5 tickets with kdestroy.

Changing your password

You can change your password by running kpasswd. You can only do this once per day.

Alternative to reauth

In the old environment, we had reauth to keep your tokens alive. In the new one, we have krenew. krenew automatically renews your Kerberos tickets and AFS tokens until the renewal period expires, after which point you will need to obtain a new ticket with kinit.

To use krenew, run krenew -b -t -K <minutes>. The arguments mean the following: -b starts krenew in the background, -t renews the AFS token, and -K <minutes> is how often (in minutes) the Kerberos ticket and tokens are renewed.
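The ticket-then-token workflow above (kinit, aklog, klist, kinit -R) as a small POSIX shell helper. This is an added example, not a script from the department's page. It assumes the MIT Kerberos tools, in particular klist -s (the silent check that exits 0 when a valid TGT is in the cache; Heimdal's klist uses a different flag), and the command names used on this page. The function names and the sample klist output are constructed for illustration.

```shell
# afs-session.sh: added helper for the kinit -> aklog workflow (not from the page).
# Source this file, then call: refresh_session "$(principal_for <username> default)"
# Assumes MIT Kerberos command-line tools (klist -s is MIT's silent TGT check).

REALM="DEPT.CS.PITT.EDU"

# Principal to hand to kinit: a bare username when DEPT.CS.PITT.EDU is your only
# or default realm, otherwise username@DEPT.CS.PITT.EDU (the two forms on the page).
principal_for() {
  user=$1; realm_mode=${2:-explicit}
  if [ "$realm_mode" = "default" ]; then
    printf '%s\n' "$user"
  else
    printf '%s@%s\n' "$user" "$REALM"
  fi
}

# Exit 0 if the credential cache holds a valid, unexpired TGT (MIT: klist -s).
have_valid_tgt() {
  klist -s 2>/dev/null
}

# Prefer the password-less path: kinit -R only succeeds while the ticket is
# unexpired and its "renew until" time has not passed. Otherwise fall back to a
# fresh kinit, which prompts for the password. Either way finish with aklog so
# the AFS tokens are derived from the current ticket. Prints "renewed" or "fresh".
refresh_session() {
  principal=$1
  if have_valid_tgt && kinit -R 2>/dev/null; then
    outcome=renewed
  else
    kinit "$principal" || return 1
    outcome=fresh
  fi
  aklog || return 1
  printf '%s\n' "$outcome"
}

# Pull the two timestamps the page says to watch out of klist output on stdin.
# "Expires" is columns 3-4 of the krbtgt line; "renew until" sits on the line
# below it. Fields are whitespace separated, so the date format does not matter.
tgt_expires() {
  awk '/krbtgt/ { print $3, $4; exit }'
}
renew_until() {
  awk '/renew until/ { print $3, $4; exit }'
}

# Constructed sample of MIT klist output (after kinit and aklog): a TGT plus
# the AFS service ticket. Used to exercise the parsers without a KDC.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@DEPT.CS.PITT.EDU

Valid starting       Expires              Service principal
01/15/2024 09:00:00  01/15/2024 19:00:00  krbtgt/DEPT.CS.PITT.EDU@DEPT.CS.PITT.EDU
        renew until 01/22/2024 09:00:00
01/15/2024 09:00:05  01/15/2024 19:00:00  afs/cs.pitt.edu@DEPT.CS.PITT.EDU
        renew until 01/22/2024 09:00:00'

# Show both deadlines for the live cache: printf 'expires: %s\n' "$(klist | tgt_expires)"
```

Because refresh_session tries kinit -R before kinit, running it from a cron job or login script gives the same effect as krenew for the length of the renewal window: no password is asked for until "renew until" has passed, at which point it falls through to a normal kinit prompt.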

Troubleshooting

Cannot get a token on Windows / RPC Error / Clock Skew Error

Check the clock on your computer.

AFS relies upon the current time in order to function. One common AFS error is not having the clock on your computer set to the correct time and TIME ZONE.

In Pittsburgh, please make sure your timezone is set to "(UTC-05:00) Eastern Time (US & Canada)"

After changing the timezone and time to be correct, navigate to C:\Users\<your windows username>\AppData\Local\Temp and delete any krb5* files. Reboot your computer and try again.

Java JDK and Kerberos

The Java JDK ships its own versions of the Kerberos binaries. This can cause issues on some configurations.

If you are getting Java errors when you try a Kerberos command, check your PATH environment variable. Ensure that the directory containing the MIT or Heimdal Kerberos binaries appears before Java's. If not, change your PATH environment variable so that Kerberos appears before Java. Please refer to your operating system's documentation for how to do this.
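A PATH check for the Java conflict just described, as an added example and not a script from this page: it lists every kinit found on PATH in search order and flags the case where the first one sits under a Java installation. Recognising a Java tree by a directory name containing jdk, jre or java is an assumption of this example, as are the function names.

```shell
# check-krb-path.sh: added diagnostic for the Java/Kerberos PATH conflict
# (not from the page). Source it and run: report_kinit_path
# On Windows shells (Git Bash, Cygwin) pass the binary name as kinit.exe.

# Print every executable named $2 found in the PATH-style list $1, in search
# order; the first line is the copy the shell will actually run. With a
# non-empty third argument, stop after the first match.
find_on_path() {
  path_list=$1; name=$2; stop_after_first=${3:-}
  old_ifs=$IFS; IFS=:
  for dir in $path_list; do
    if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
      printf '%s\n' "$dir/$name"
      if [ -n "$stop_after_first" ]; then break; fi
    fi
  done
  IFS=$old_ifs
}

# Exit status: 0 = the first $2 on $1 is not under a Java tree (PATH order is
# fine), 1 = it lives under a jdk/jre/java directory (Kerberos must be moved
# earlier in PATH), 2 = $2 is not on PATH at all. Directory-name matching is a
# heuristic, not something the JDK guarantees.
krb_before_java() {
  first=$(find_on_path "$1" "$2" first)
  [ -n "$first" ] || return 2
  case $(printf '%s' "$first" | tr 'A-Z' 'a-z') in
    *jdk*|*jre*|*java*) return 1 ;;
    *) return 0 ;;
  esac
}

# Human-readable report for the current PATH; exit status as krb_before_java.
report_kinit_path() {
  rc=0
  krb_before_java "$PATH" kinit || rc=$?
  case $rc in
    0) echo "OK: $(find_on_path "$PATH" kinit first) is not Java's copy" ;;
    1) echo "WARNING: $(find_on_path "$PATH" kinit first) is Java's kinit; put the MIT/Heimdal bin directory before Java in PATH" ;;
    *) echo "kinit not found on PATH; install Kerberos 5 first" ;;
  esac
  echo "All copies of kinit, in PATH order:"
  find_on_path "$PATH" kinit
  return $rc
}
```

The same check works for klist or any other tool that both Java and Kerberos ship; a return status of 1 from report_kinit_path is the situation the page describes, where a plain kinit at the prompt runs Java's binary instead of the real one.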

Need Help?

Do you need to report a problem or want to give us a suggestion? Please:

Random FAQ

What kinds of programs are there on the CS machines?

All the typical UNIX utilities for job control, file manipulation, networking
(ssh, sftp, etc) and C compilation and debugging can be found on each of
the department systems, as well as a lot of public domain software.

The files under the /usr/local/contrib directory are installed and maintained
by faculty and students and are not supported by the department. If you would
like to see a package installed in this directory, first clear it with the tech
staff by sending e-mail to tech@cs.pitt.edu. If approved, you will be asked to
build the package for all department architectures, not just the one you
usually use.